Technical excellence and experience worldwide.
We are information security at its best.
Blaze Information Security is a privately held, independent information security firm born from years of combined experience and international presence. With offices in Brazil and Portugal, Blaze has a team of senior analysts with past experience in leading information security consulting companies around the world and a proven track record of published security research.
We are strong believers in technical excellence and have extensive experience in delivering complex projects for large customers in industries such as finance, telecommunications, technology, government and e-commerce. We are committed to delivering results that meet your security demands.
The passion for Information Security drives us, and is shared by all members of our team.
Present in Brazil and Portugal, our professionals have worked with major companies around the world and possess the know-how needed to deal with projects of great complexity and criticality.
Blaze Information Security has experienced consultants holding the Offensive Security Certified Professional (OSCP) and other relevant industry certifications. Combined, the team has been responsible for the publication of more than 10 CVEs so far.
It is common for organizations to deploy multiple layers of security controls, including web gateways, firewalls, anti-virus, intrusion detection systems and other mechanisms. Combining them is part of a popular approach known as defense in depth.
Blaze's Defense Mechanisms Resilience Testing was designed to assess the effectiveness of the defense mechanisms currently in place against several advanced scenarios, verifying which layers can be pierced by an attacker with varying levels of sophistication.
This service is divided into three tiers, each with its own degree of effort.
The first tier uses simple malicious artefacts, such as well-known malware or a public exploit. This first phase is designed to assess the resilience of the endpoint and network-based protection mechanisms currently in place. Properly configured IDS, anti-virus and endpoint security software should normally detect and block such an artefact before it becomes a threat to the company's IT environment.
The second tier sends the same artefacts wrapped in different delivery methods, along with simple artefacts compiled into other executable formats. In this phase the artefacts are packed with public packers, sent compressed in formats such as ZIP and RAR, or, in the case of exploits, have their payload replaced with more advanced, encoded shellcode. The purpose is to find out whether detection relies on a plain signature match that a trivial transformation of the artefact defeats.
The third and last tier relies on a number of advanced techniques to get past the defenses in place, such as payload obfuscation to evade IDSes, web gateways and anti-virus, bespoke executable packers, custom-built artefacts and alternative payload types such as malicious Office documents.
Security Development Lifecycle, or SDLC, is a software development methodology that helps developers build more secure software in compliance with all security requirements.
Even as early as project conception and requirements gathering, it is important to relate each requirement to the security risks it may present or enable. With a mapping of the possible threats arising from the system's requirements, information security controls are added to the development process.
A project built with SDLC presents greater resilience against vulnerabilities and threats, reducing costs, the chance of fraud and future maintenance work to correct problems originating from security flaws.
Activities of the SDLC process involve the following tasks:
The final result aims to reduce the attack surface offered by the system under scope and strengthen its confidentiality, integrity and availability.
Our security-oriented smart contract review follows an organized methodology intended to identify as many vulnerabilities as possible in the contracts under scope, from the perspective of a motivated, technically capable and persistent adversary.
Special attention is directed towards critical areas of the smart contract, such as token burning and the functioning of multi-signature logic. Our process also looks into other common implementation issues such as reentrancy, arithmetic overflows and underflows, and gas-related denial of service.
Blaze's smart contract review methodology involves automated and manual audit techniques.
The contracts are first subjected to a round of automated analysis using tools such as linters, program profilers and source code security scanners. Their source code is then manually inspected for security flaws. Manual review can detect issues missed by automated scanners and static analyzers, since it can discover edge cases and business-logic problems.
Threat intelligence provides tangible benefits to organizations, allowing them to develop a proactive security posture towards information security and risk management instead of an onerous reactive one. Its greatest benefit is giving the customer the chance to anticipate threats before they become an imminent risk to the business.
In the threat intelligence service offered by Blaze Information Security, information is gathered predominantly in an automated fashion, using in-house tools and scripts, with the output validated by our intelligence analysts. The collected data is then correlated and interpreted to give it business and technical context, so that it can feed the decision-making process of our customer.
The result of this service gives our customers the opportunity to optimize the protection of their assets, direct efforts properly to mitigate identified problems and anticipate threats, thus enhancing the resilience of the organization against cyber crime and diminishing the risk and losses associated with fraud and malicious activity.
Today, VoIP security architectures are limited, and effective security mechanisms are required for a secure environment. VoIP deployments are sensitive both to network-level attacks (for instance, denial of service) and to VoIP-specific vulnerabilities. The latter can be exploited at the protocol level (signaling plane or data plane) as well as at the management level. Leaving the security of this environment unattended may expose a company to:
Our service aims to minimize the aforementioned risks posed by VoIP vulnerabilities and misconfigurations, anticipating an attacker's possible moves and providing adequate mitigation measures for them.
An external penetration test consists of identifying the vulnerabilities and threats your business may face from the perspective of an external adversary.
Security tests are carried out through controlled attack simulation tailored to our client's business. The main objective of this service is to stay ahead of the actions committed by criminals and malicious hackers, such as financial fraud, sabotage, unauthorized access, leakage of data and sensitive information, espionage, denial of service attacks and others.
The results of a penetration test can also be used in audit processes that require security testing, such as PCI DSS and ISO/IEC 27001.
This type of security testing aims to identify and examine threats and vulnerabilities that may negatively impact the business from the perspective of a potential internal attacker. The tests are designed to simulate well-coordinated attacks in a scenario where an internal agent, such as a disgruntled employee, has basic access to the internal network.
Much financial fraud and many other threats stem from the exploitation of vulnerabilities present within the internal infrastructure.
Many corporate network breaches start with insecure web applications and APIs, due to factors such as the large number of different technologies involved and short development deadlines that lead to the introduction of security defects.
The aim of web application and API security testing is to identify vulnerabilities that can directly affect the continuity and resilience of the business, since web applications and APIs often handle sensitive information and other resources considered vital to an organization.
The assessments are performed manually by our expert consultants, aided by tools and scripts developed specifically for each application under test. We go beyond the common issues in the OWASP Top 10 and also cover many modern vulnerability classes affecting web-based technologies.
With the results of the assessment, our clients can protect their assets and direct efforts to mitigate the identified issues, bolstering the resilience of the application or API against cyber attacks.
The meteoric rise of business-critical mobile apps brings new risks for organizations that rely on mobile devices and applications daily. Another risk factor is the current security maturity of these platforms: many risks are still not well understood, and the lack of well-established security practices and frameworks, together with the overall inexperience of application developers, makes the mobile world more prone to vulnerabilities than others.
Penetration testing of mobile apps involves simulating the actions of a skilled attacker to identify vulnerabilities in the application's supporting infrastructure (backend APIs and databases), in the communication between the app and the server, and in the application itself, including its interaction with the device.
Blaze's security consultants are well versed in penetration testing of Android and iOS applications.
With the results of the analysis, the organization can improve the security of its business-critical mobile applications and reduce the risk to a minimum.
With the growing popularity of thin clients and virtualized remote environments, it is common for companies to adopt some sort of remote access solution, such as Citrix or Terminal Services. In general these systems are configured to allow access only to the applications the user needs to perform his or her duties, for example a spreadsheet program or a web browser.
In many cases the configuration of the restricted environment is not locked down enough and may have holes or implementation issues that allow a user to escape the restrictions imposed by the environment and obtain unauthorized access to other parts of the system, such as command prompts or the filesystem. This turns the system into a potential attack vector against the internal network.
Blaze Information Security performs privilege escalation tests of restricted environments and kiosks to illustrate the risk a misconfigured technology might bring to your organization, and to help you with best practices and procedures to protect your environment.
The constant discovery of new vulnerabilities brings new challenges to the security management of an organization. Keeping IT staff up to date with the latest cybersecurity trends and threats usually requires a large investment of money and time.
To help our clients in this matter, our vulnerability management service periodically monitors the security posture of your IT infrastructure and web and mobile applications to identify the level of risk they may bring to your organization.
The analysis takes place on a daily basis, with our consultants performing security tests against the systems under scope. When a vulnerability is identified, the client's IT team is immediately notified through the dashboard of our in-house developed VMS (Vulnerability Management System).
Why hire our vulnerability management service?
Our vulnerability management service is designed to work in a modular fashion, giving clients the option of continuous security management specific to the technologies relevant to their business.
Software vulnerabilities often originate in the source code. Our experienced consultants perform code review of software written in popular languages such as Java, Ruby, Python, C/C++, PHP, ASP.NET and C#.NET, as well as less common ones such as Solidity.
Our analysis combines code scanning with security-focused static analysis tools and manual code review by our consultants to identify vulnerabilities and design errors that can pose a serious risk to the application.
The result of the assessment is a document explaining the issues discovered, along with advice for your development team on how to fix the vulnerabilities identified and, perhaps more importantly, how to prevent similar errors in the future.
The diversification of applications on the Internet has been accompanied by a rise in the number of security incidents. The severity of an attack varies, and in some cases it may cause serious operational impact to the business, ultimately leading to major financial losses.
Incident response is the rapid-reaction function used to manage the consequences of a breach. Its main objectives are to minimize the impact of a security compromise and allow rapid recovery of the systems, guaranteeing business continuity, as well as to investigate the root cause of the breach and improve the security posture of the systems to reduce the risk of successful incidents in the future.
Blaze Information Security offers security assessments of products developed in-house or that are commercial off-the-shelf.
The assessment consists of evaluating all security aspects affected by a new application or device that will be introduced into the corporate network. A detailed analysis of the attack surface of the product under test is performed, taking into consideration its security expectations, objectives and threat model. In general, product security testing aims to verify the resilience of all components of the product under test; typically the service comprises infrastructure testing, code review, architecture analysis and application security testing, as well as the creation of bespoke scripts and custom tools for analysis, such as fuzzers.
Our offering benefits vendors that want their product evaluated from a security point of view before it ships, and organizations that want to make sure that bringing another appliance or piece of software into their network will not adversely affect their security posture.
We offer training of variable duration and depth to help developers improve the security of their code.
At present we offer training in the following areas:
Fireguard is a secure, encrypted file sharing tool that offers a private and controlled environment to share documents and files seamlessly with customers, other companies and internally, in compliance with the European data protection law, the GDPR.
Download links automatically expire after a pre-defined number of downloads, hours or days. Fireguard offers optional integration with popular DLP and anti-virus products to further protect the data sent, and implements its own web application firewall for extra protection.
Lantern is Blaze's exclusive vulnerability management platform used for continuous security and compliance monitoring that can keep pace with the dynamic IT infrastructure of modern organizations.
Lantern consolidates the results of different scanners, automated tools and manual security assessments in one platform, giving your organization a 360-degree view of the vulnerabilities in your applications, network and IT assets and helping you understand, quantify and prioritize your cyber risks.